This question is related to this one, but I decided to separate it.
I have signingKey and encryptionKey settings in my grails spring saml config. What is their purpose? I read the spring-security-saml doc and grails saml plugin doc, but it's still a little bit unclear. Could anyone explain their practical usage?
You can think of them as:

signingKey = outbound requests
encryptionKey = inbound data

i.e. the key you will use to sign outbound requests (e.g. AuthnRequest) vs. the key that your integration partners will use to encrypt assertions that are destined for you.
In the SAML metadata standard they are allowed to be the same value or you can specify different keys for each:

2.4.1.1 The element provides information about the cryptographic key(s) that an entity uses to sign data or receive encrypted keys

use [Optional]
Optional attribute specifying the purpose of the key being described. Values are drawn from the KeyTypes enumeration, and consist of the values encryption and signing.
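As an added illustration (not code from the question, the answer, or the plugin's own documentation), here is how the two settings typically line up against a keystore in a Grails spring-security-saml configuration. The config path (grails.plugin.springsecurity.saml.metadata.sp.defaults and keyManager), the keystore aliases sp-sign and sp-enc, and the passwords are assumptions and placeholders; only signingKey and encryptionKey come from the question itself.

```groovy
// Added example, not part of the original post. Assumes the grails-spring-security-saml
// plugin's Config.groovy layout; aliases and passwords below are constructed placeholders.

// The keystore that holds the SP's private keys and certificates.
grails.plugin.springsecurity.saml.keyManager.storeFile = 'classpath:security/keystore.jks'
grails.plugin.springsecurity.saml.keyManager.storePass  = 'CHANGE-ME'   // placeholder

// One password entry per private key the SP will actually use. Keeping the
// signing and decryption keys as separate aliases lets you rotate or revoke
// one without touching the other.
grails.plugin.springsecurity.saml.keyManager.passwords = [
    'sp-sign': 'CHANGE-ME',   // placeholder
    'sp-enc' : 'CHANGE-ME'    // placeholder
]
grails.plugin.springsecurity.saml.keyManager.defaultKey = 'sp-sign'

grails.plugin.springsecurity.saml.metadata.sp.defaults = [
    local: true,
    alias: 'my-sp',           // placeholder SP alias

    // Outbound: the private key under this alias signs what the SP sends
    // (AuthnRequest, LogoutRequest). Its certificate is published in the SP
    // metadata as <KeyDescriptor use="signing"> so the IdP can verify signatures.
    signingKey: 'sp-sign',

    // Inbound: the certificate under this alias is published as
    // <KeyDescriptor use="encryption">. The IdP encrypts assertions to that
    // certificate and the SP decrypts them with the matching private key.
    encryptionKey: 'sp-enc'

    // Setting both to the same alias is also valid: the metadata spec allows
    // one key for both uses, in which case a single <KeyDescriptor> with no
    // "use" attribute covers both.
]
```

The practical consequence of the split: the IdP needs your signing certificate only to verify, and your encryption certificate only to encrypt, so nothing about the private keys ever leaves the SP keystore; the metadata you hand to the partner (the plugin serves it at its metadata URL) carries just the public certificates with the matching use values.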